Discussion:
setting up a client on Debian squeeze
(too old to reply)
Michał Dwużnik
2013-08-29 17:41:32 UTC
Permalink
Hi folks,

did anyone succeed in connecting such an old thing recently to freeipa
server?

Is there a document (or an archive post) about connecting a 'non ipa aware'
client step by step?
I got as far as woing Kerberos with no issues, hit a wall with ldap part..

Regards
Michal
--
Michal Dwuznik
Rob Crittenden
2013-08-29 17:56:31 UTC
Permalink
Post by Michał Dwużnik
Hi folks,
did anyone succeed in connecting such an old thing recently to freeipa
server?
Is there a document (or an archive post) about connecting a 'non ipa
aware' client step by step?
I got as far as woing Kerberos with no issues, hit a wall with ldap part..
You might try this:
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

rob
Michał Dwużnik
2013-08-29 19:00:20 UTC
Permalink
As for now I have set up a 'known good' client on RH based distro, to get
the feeling how the config files
look like when configured correctly.

Thanks for the nice reference

M.
Post by Michał Dwużnik
Hi folks,
did anyone succeed in connecting such an old thing recently to freeipa
server?
Is there a document (or an archive post) about connecting a 'non ipa
aware' client step by step?
I got as far as woing Kerberos with no issues, hit a wall with ldap part..
You might try this: http://docs.fedoraproject.org/**
en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html<http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html>
rob
--
Michal Dwuznik
Michał Dwużnik
2013-08-29 23:49:37 UTC
Permalink
Ok, going step by step I did the following on squeeze:

set up ntp, time synced with ipa server

test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
works for test users tester and tester2)

client2.localdomain is the Debian Squeeze client

added host client2.localdomain on IPA server, added 'managedby', got the
keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2

most important part of /etc/krb5.conf:

[realms]
LOCALDOMAIN = {
kdc = ipa.localdomain
admin_server = ipa.localdomain
}

[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
default_domain = localdomain

[libdefaults]
default_realm = LOCALDOMAIN


The following lets me think the KRB5 part of the setup is done correctly:

***@client2:/etc# kinit admin
Password for ***@LOCALDOMAIN:
***@client2:/etc# kdestroy
***@client2:/etc# kinit tester
Password for ***@LOCALDOMAIN:
***@client2:/etc# klis
-su: klis: command not found
***@client2:/etc# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: ***@LOCALDOMAIN

Valid starting Expires Service principal
08/30/13 00:35:50 08/31/13 00:35:47 krbtgt/***@LOCALDOMAIN


***@client2:/etc# kpasswd tester
Password for ***@LOCALDOMAIN:
Enter new password:
Enter it again:
Password changed.


I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)

DNS for all the hosts involved is similar to:
***@client2:/etc# nslookup ipa
Server: 192.168.137.29
Address: 192.168.137.29#53

Name: ipa.localdomain
Address: 192.168.137.13

***@client2:/etc# nslookup 192.168.137.13
Server: 192.168.137.29
Address: 192.168.137.29#53

13.137.168.192.in-addr.arpa name = ipa.localdomain.

Now I guess it's time for certificates, where I do have some doubts...

I've added the SSH host keys via web interface, now the cert part:

having generated the CSR afte creating the new database:

certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
(in the /etc/pki dir) I paste the CSR and Issue the certificate for host

(/etc/pi contains newly created cert8.db key3.db secmod.db )

Which of those should be used to add the cert to?

(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i */path/to/*
ca.crt)

All of the tries result in:
***@client2:/etc/pki# certutil -A -d /etc/pki/cert8.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
***@client2:/etc/pki# certutil -A -d /etc/pki/secmod.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
***@client2:/etc/pki# certutil -A -d /etc/pki/key3.db -n "IPA CA" -t
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.

Could someone show me my mistake?

Regards
Michal
Post by Michał Dwużnik
As for now I have set up a 'known good' client on RH based distro, to get
the feeling how the config files
look like when configured correctly.
Thanks for the nice reference
M.
Post by Michał Dwużnik
Hi folks,
did anyone succeed in connecting such an old thing recently to freeipa
server?
Is there a document (or an archive post) about connecting a 'non ipa
aware' client step by step?
I got as far as woing Kerberos with no issues, hit a wall with ldap part..
You might try this: http://docs.fedoraproject.org/**
en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html<http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html>
rob
--
Michal Dwuznik
--
Michal Dwuznik
Michał Dwużnik
2013-08-30 00:12:01 UTC
Permalink
Sorry for quick continuation...

Certificate added to nss DB in /etc/pki
certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt

sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html

How do I test now, before changing PAM options that the pieces fit together?


(Sorry for being a bit too tired...)

M.
Post by Michał Dwużnik
set up ntp, time synced with ipa server
test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install, ssh
works for test users tester and tester2)
client2.localdomain is the Debian Squeeze client
added host client2.localdomain on IPA server, added 'managedby', got the
keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
[realms]
LOCALDOMAIN = {
kdc = ipa.localdomain
admin_server = ipa.localdomain
}
[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
default_domain = localdomain
[libdefaults]
default_realm = LOCALDOMAIN
-su: klis: command not found
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
Password changed.
I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)
Server: 192.168.137.29
Address: 192.168.137.29#53
Name: ipa.localdomain
Address: 192.168.137.13
Server: 192.168.137.29
Address: 192.168.137.29#53
13.137.168.192.in-addr.arpa name = ipa.localdomain.
Now I guess it's time for certificates, where I do have some doubts...
certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
(in the /etc/pki dir) I paste the CSR and Issue the certificate for host
(/etc/pi contains newly created cert8.db key3.db secmod.db )
Which of those should be used to add the cert to?
(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i */path/to/
*ca.crt)
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
Could someone show me my mistake?
Regards
Michal
Post by Michał Dwużnik
As for now I have set up a 'known good' client on RH based distro, to get
the feeling how the config files
look like when configured correctly.
Thanks for the nice reference
M.
Post by Michał Dwużnik
Hi folks,
did anyone succeed in connecting such an old thing recently to freeipa
server?
Is there a document (or an archive post) about connecting a 'non ipa
aware' client step by step?
I got as far as woing Kerberos with no issues, hit a wall with ldap part..
You might try this: http://docs.fedoraproject.org/**
en-US/Fedora/17/html/FreeIPA_**Guide/linux-manual.html<http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html>
rob
--
Michal Dwuznik
--
Michal Dwuznik
--
Michal Dwuznik
Rob Crittenden
2013-08-30 02:04:43 UTC
Permalink
Post by Michał Dwużnik
Sorry for quick continuation...
Certificate added to nss DB in /etc/pki
certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt
sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
How do I test now, before changing PAM options that the pieces fit together?
Perhaps exercise nss with:

% id admin
% getent passwd admin
% getent group admin

You can substitute admin for any IPA user or group.

And really you can skip the cert step if you want. Unless you have
something that will use it we put a cert on the system as a convenience
right now. There isn't currently anything using it by default.

rob
Post by Michał Dwużnik
(Sorry for being a bit too tired...)
M.
On Fri, Aug 30, 2013 at 1:49 AM, Michał Dwużnik
set up ntp, time synced with ipa server
test setup is done on
ipa.localdomain (server)
client.localdomain
(client on Scientific Linux 6.4, looks ok after ipa-client-install,
ssh works for test users tester and tester2)
client2.localdomain is the Debian Squeeze client
added host client2.localdomain on IPA server, added 'managedby', got
the keytab and put the 'client2.keytab' in /etc/krb5.keytab on client2
[realms]
LOCALDOMAIN = {
kdc = ipa.localdomain
admin_server = ipa.localdomain
}
[domain_realm]
.localdomain = LOCALDOMAIN
localdomain = LOCALDOMAIN
default_domain = localdomain
[libdefaults]
default_realm = LOCALDOMAIN
-su: klis: command not found
Ticket cache: FILE:/tmp/krb5cc_0
Valid starting Expires Service principal
Password changed.
I guess that's the point of snapshotting 'KRB done' state (can I be wrong?)
Server: 192.168.137.29
Address: 192.168.137.29#53
Name: ipa.localdomain
Address: 192.168.137.13
Server: 192.168.137.29
Address: 192.168.137.29#53
13.137.168.192.in-addr.arpa name = ipa.localdomain.
Now I guess it's time for certificates, where I do have some doubts...
certutil -R -d . -a -g 2048 -s 'CN=client2.localdomain,O=LOCALDOMAIN'
(in the /etc/pki dir) I paste the CSR and Issue the certificate for host
(/etc/pi contains newly created cert8.db key3.db secmod.db )
Which of those should be used to add the cert to?
(like certutil -A -d /etc/pki/nssdb -n "IPA CA" -t CT,C,C -a -i
/|/path/to/|/ca.crt)
-t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
-t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
-t CT,C,C -a -i ./ca.crt
certutil: function failed: security library: bad database.
Could someone show me my mistake?
Regards
Michal
On Thu, Aug 29, 2013 at 9:00 PM, Michał Dwużnik
As for now I have set up a 'known good' client on RH based
distro, to get the feeling how the config files
look like when configured correctly.
Thanks for the nice reference
M.
On Thu, Aug 29, 2013 at 7:56 PM, Rob Crittenden
Hi folks,
did anyone succeed in connecting such an old thing
recently to freeipa
server?
Is there a document (or an archive post) about
connecting a 'non ipa
aware' client step by step?
I got as far as woing Kerberos with no issues, hit a
wall with ldap part..
http://docs.fedoraproject.org/__en-US/Fedora/17/html/FreeIPA___Guide/linux-manual.html
<http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html>
rob
--
Michal Dwuznik
--
Michal Dwuznik
--
Michal Dwuznik
_______________________________________________
Freeipa-users mailing list
https://www.redhat.com/mailman/listinfo/freeipa-users
Jakub Hrozek
2013-08-30 08:36:34 UTC
Permalink
Post by Rob Crittenden
Post by Michał Dwużnik
Sorry for quick continuation...
Certificate added to nss DB in /etc/pki
certutil -A -d /etc/pki/ -n "IPA CA" -t CT,C,C -a -i pki/ca.crt
sssd configured according to
http://docs.fedoraproject.org/en-US/Fedora/17/html/FreeIPA_Guide/linux-manual.html
How do I test now, before changing PAM options that the pieces fit together?
% id admin
% getent passwd admin
% getent group admin
You can substitute admin for any IPA user or group.
And really you can skip the cert step if you want. Unless you have
something that will use it we put a cert on the system as a
convenience right now. There isn't currently anything using it by
default.
rob
On the client, one piece of functionality where you need the cert are
password migrations from LDAP to IPA. I don't think that's your case,
though.
Michał Dwużnik
2013-08-30 13:54:54 UTC
Permalink
This post might be inappropriate. Click to display it.
Jakub Hrozek
2013-08-30 14:48:17 UTC
Permalink
Post by Michał Dwużnik
Ok, I somehow assumed certs are very much needed for ldaps...
Well, for most operations the SSSD uses GSSAPI authentication. Only when
passwords are migrated, we do an LDAP bind with StartTLS.
Post by Michał Dwużnik
In the meantime, I set up a debian wheezy machine to try the freeipa-client
from debs.
I managed to get working ipa-client (with a few quirks...- default nss
database needed to be created) with packages from
deb http://apt.numeezy.fr wheezy main
deb-src http://apt.numeezy.fr wheezy main.
So now I have a ready set of debian-like configs for wheezy, making it work
with squeeze seems easier now (it comes with learning, too...)
I must admit ipa-client debug option is lovely as a step-by-step guide for
trying by hand :>
Going back to thinking whether to try getting ipa on squeeze or getting the
legacy software working with squeeze...
(some of the scientists seem to be the happiest if the system is totally
unchanged for some 20 years...).
Regards
Michal
PS:I do see hope for rooting out the last instance of NIS on the campus :>
Terminate it with extreme prejudice :-)

Continue reading on narkive:
Loading...